Swedish healthcare advice line stored 2.7 million patient phone calls on unprotected web server
Recordings of 170,000 hours of calls made to the Vårdguiden 1177 healthcare line were left on an open web server provided by Swedish company Voice Integrate Nordic AB.
An anonymous tip-off to Computer Sweden revealed that calls dating back to 2013 were stored without encryption or password protection, meaning they could be accessed by anyone with a web browser.
The breach affected three regions, Stockholm, Värmland and Sörmland, whose 1177 calls had been outsourced to the subcontractor Medicall, which used the Voice Integrate call centre system.
Swedish health minister Lena Hallengren called the breach “very serious and startling”.
“No region can renounce its responsibility in regard to patient security or the protection of sensitive personal data,” she said.
A statement from MedHelp, the company which runs the 1177 service, confirmed that the server had been shut down after a security issue was discovered on Monday the 18th.
It has since discovered that 55 call files have been illegally downloaded from seven different IP addresses.
Of these, nine contained personal information identifying the caller and a further 16 identified the callers’ phone numbers.
MedHelp said it is carrying out an “IT forensic investigation to map exactly what has happened and secure evidence,” which it will submit to the Swedish Data Inspection Board and the police.
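Figures like "55 call files from seven IP addresses" are typically reconstructed from the web server's own access logs: every successful fetch of a recording leaves a line naming the client IP, the path and the status code. The script below, an added example written for this page and not MedHelp's or any other named company's tooling, shows that triage on constructed log lines. It assumes the server wrote standard Combined Log Format access logs and that recordings lived under a hypothetical /recordings/ path; the IP addresses, file names and timestamps are all made up.

```python
"""
Triage of web-server access logs for an exposed recording share.

Added example for this article; assumptions: Combined Log Format access logs,
recordings served under a hypothetical /recordings/ path with an audio
extension. All sample log lines below are constructed (documentation IP ranges,
placeholder date).
"""
import re
from collections import defaultdict
from typing import Dict, Iterable, Optional, Set

# Combined Log Format:
#   ip ident user [time] "method path proto" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<bytes>\d+|-)'
)

AUDIO_EXT = (".wav", ".mp3", ".ogg", ".m4a")

# Constructed sample: one browsing session that lists the directory and streams
# a file (200 followed by a 206 range request), one scripted bulk fetch with a
# miss, and one HEAD probe that transferred no audio.
SAMPLE_LOG = """\
198.51.100.7 - - [01/Jan/2019:09:12:01 +0100] "GET /recordings/ HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
198.51.100.7 - - [01/Jan/2019:09:12:09 +0100] "GET /recordings/2018/call-0001.wav HTTP/1.1" 200 2048000 "-" "Mozilla/5.0"
198.51.100.7 - - [01/Jan/2019:09:12:40 +0100] "GET /recordings/2018/call-0001.wav HTTP/1.1" 206 1024000 "-" "Mozilla/5.0"
203.0.113.5 - - [01/Jan/2019:10:01:13 +0100] "GET /recordings/2017/call-0093.mp3 HTTP/1.1" 200 3300000 "-" "curl/7.64.0"
203.0.113.5 - - [01/Jan/2019:10:01:15 +0100] "GET /recordings/2017/call-0094.mp3 HTTP/1.1" 404 0 "-" "curl/7.64.0"
192.0.2.44 - - [01/Jan/2019:11:30:00 +0100] "HEAD /recordings/2018/call-0001.wav HTTP/1.1" 200 0 "-" "python-requests/2.21"
192.0.2.44 - - [01/Jan/2019:11:30:02 +0100] "GET /index.html HTTP/1.1" 200 812 "-" "python-requests/2.21"
"""


def parse_line(line: str) -> Optional[Dict[str, object]]:
    """Parse one access-log line; return None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec: Dict[str, object] = m.groupdict()
    rec["status"] = int(m.group("status"))
    # Drop any query string so the same file is not counted twice.
    rec["path"] = m.group("path").split("?", 1)[0]
    return rec


def is_recording(path: str) -> bool:
    """True when the path points at an audio file under the recordings share."""
    p = path.lower()
    return p.startswith("/recordings/") and p.endswith(AUDIO_EXT)


def triage(lines: Iterable[str]) -> Dict[str, object]:
    """Count distinct recordings that actually left the server, grouped by
    client IP, and note which IPs pulled a directory listing (i.e. browsed
    the share rather than hitting a known URL)."""
    files_by_ip: Dict[str, Set[str]] = defaultdict(set)
    listing_ips: Set[str] = set()
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["method"] != "GET":
            continue  # HEAD/OPTIONS transfer no audio; unparsable lines are skipped
        if rec["status"] not in (200, 206):
            continue  # 401/403/404 etc. did not disclose file contents
        path = str(rec["path"])
        ip = str(rec["ip"])
        if is_recording(path):
            files_by_ip[ip].add(path)  # a 200 plus later 206s count once
        elif path.endswith("/"):
            listing_ips.add(ip)
    all_files: Set[str] = set()
    for files in files_by_ip.values():
        all_files |= files
    return {
        "distinct_files": len(all_files),
        "distinct_ips": len(files_by_ip),
        "files_by_ip": {ip: sorted(f) for ip, f in files_by_ip.items()},
        "listing_ips": sorted(listing_ips),
    }


def triage_log(text: str) -> Dict[str, object]:
    """Convenience wrapper: run triage over a whole log file held as a string."""
    return triage(text.splitlines())


if __name__ == "__main__":
    result = triage_log(SAMPLE_LOG)
    print(f"{result['distinct_files']} distinct recordings fetched by "
          f"{result['distinct_ips']} IP addresses")
    for ip, files in result["files_by_ip"].items():
        print(f"  {ip}: {files}")
    print("directory listing requested by:", result["listing_ips"])
```

Two choices matter for getting the numbers right. Only 200 and 206 responses count, because a 401, 403 or 404 means no audio was transferred; and repeated range requests (206) for the same file are collapsed to one download, since a browser's audio player will issue several per playback. Identifying which downloaded files contained identifying details, as the article describes, still requires listening to or transcribing the files themselves; the log tells you which files and from where, not what was in them.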
What’s the impact
Professor Hans Rutberg, head of the Swedish Society of Medicine's patient safety committee, told Healthcare IT News that the public would be put off calling the 1177 helpline if they did not trust that their data was secure, which "could impact patient safety in the long run."
He added: "It is very unfortunate this has happened and it is, of course, against Swedish regulations and legislation."
What’s the trend
Callers to the 1177 telephone service commonly discuss their medical symptoms and disclose personal information such as social security numbers.
This would be considered sensitive personal information under the General Data Protection Regulation.
"Article 32 of the GDPR states that organisations must implement secure processing, taking into account the state of the art," said Adam Brown, manager of security solutions at technology company Synopsys.
"This doesn't look like the data processor has a defensible position in this case."
Sweden’s patient safety regulations also state that saved audio files should be treated confidentially.
"This is likely the worst privacy breach in Sweden in modern times," said Martin Jartelius, CSO at cyber assessment company Outpost24.
“It is due to not only a lapse in security, but a complete lack of any form of protection.”
On the record
“We take this matter very seriously and are working hard to investigate what has happened,” Värmland region healthcare director, Tobias Kjellberg, told Healthcare IT News.
Inera, the company which works with MedHelp to coordinate the 1177 service, said it was working with the affected regions and subcontractors “to analyze the problem and ensure it is rectified”.
Stockholm and Sörmland regions had not responded to a request for comment at the time of publication.